Open lukehinds opened 3 years ago
There are growing number of options in the overall SBOM management, including:
1. When to generate SBOM : It could be pre-build
or post-build
. In pre-build
SBOM is generated in DevSecOps pipeline before building an image. And it is done by scanning source artifacts like Dockerfile, requirements.txt etc. In the post-build
, SBOM is generated after image is built, by scanning an image.
2. SBOM tool: Again, n number of open-source tools are available providing SBOM generation in various capacities
3. SBOM format: Currently, there are atleast 3 format options, viz. SPDX, CycloneDX, SWID. At the moment, there is no lossless conversion possible across them, which tells us that they differ significantly in the specs.
4. SBOM persistence: There's solid solution available with cosign
to attach SBOM to an image and store it in OCI registry.
In the scope of this work, I would suggest following:
pre-build
and post-build
stages. We use one of the existing open-source tool or commercial tool to do that. JSON
format to document SBOM. Ensure we can do lossless conversion from it to one of the "standard" format.cosign
to sign and attach SBOM to an image and persist in the same OCI registry as imageI am keen to start by capturing signed digests from the developer (python files, go binaries, tarballs etc) as we can perform decent attestations then.
One of the current issues with some of the predicates is that it's not possible to be sure the operation in the SBOM is what actually happened in reality.
With a digest of an artifact you have some form of reproducibility (received blob a has the digest "abcdef" and lhinds signed sent blob with digest "abcdef").
Yes, agree. Let's review our current SBOM capabilities and identify the gaps we need to address.
We need to figure out an initial lean SBOM format and establish if that can be ingested and meaningfully processed by actor in the chain